MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e513d1e2ef995156b6f803f10c05052a3c1ae35f92e1c6d5bb7765a4d3b61011. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e513d1e2ef995156b6f803f10c05052a3c1ae35f92e1c6d5bb7765a4d3b61011
SHA3-384 hash: d12bd289c6324e56c1dbb1e20063b585c64fcc4a746ea99824e2d3f673557a8da34f6f9ed76b10dffe1d8cad10b3436c
SHA1 hash: ed105378c222691e40c4a15d09b51c83df4d4134
MD5 hash: 8e1c8cff8610e8932d766ab3008af305
humanhash: purple-nevada-wyoming-jersey
File name:opzi0n1.dll
Download: download sample
Signature Gozi
Create hunting rule
File size:167'936 bytes
First seen:2020-11-17 11:03:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 835da50418fe3a11ed52190a8ed68c00 (1 x Gozi)
ssdeep 3072:lMZhiVcGQDgf+OJ/zdQAYKjxLFL8615go9SfNJ7Mt9vQ90Z:+ZhiVcGB+O7QnqL861+zyBQ90
TLSH B2F3AE43446BB5BAF9AED77E90F13FD71944E11C0B0ABC0B3BA404C5D62649A4CB4ABD
Reporter JAMESWT_WT
Tags:dll Gozi isfb MEF Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching a process
Creating a window
DNS request
Searching for the window
Deleting a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e513d1e2ef995156b6f803f10c05052a3c1ae35f92e1c6d5bb7765a4d3b61011/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 11:04:05 UTC
File Type:
PE (Dll)
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
gozi_ifsb
Create hunting rule
Score:
  10/10
Tags:
family:gozi_ifsb banker trojan
Link:
https://tria.ge/reports/201117-5z3s37y2xn/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer Phishing Filter
Gozi, Gozi IFSB
Unpacked files
SH256 hash:
e513d1e2ef995156b6f803f10c05052a3c1ae35f92e1c6d5bb7765a4d3b61011
MD5 hash:
8e1c8cff8610e8932d766ab3008af305
SHA1 hash:
ed105378c222691e40c4a15d09b51c83df4d4134
Link:
https://www.unpac.me/results/84adebf1-d59e-4320-a743-fc6427bca2ff/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gozi

Executable exe e513d1e2ef995156b6f803f10c05052a3c1ae35f92e1c6d5bb7765a4d3b61011

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/825498/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/825069/
  
URLhaus
https://urlhaus.abuse.ch/url/825070/
  
URLhaus
https://urlhaus.abuse.ch/url/825497/
  
URLhaus
https://urlhaus.abuse.ch/url/825496/

Comments